Question about OpenSSH CPE

Hi all,

I noticed that GVM reports the product CPE in the wrong format when it is a patch version.

For example, the following is the CPE that GVM built for OpenSSH Server 8.9p1: cpe:/a:openbsd:openssh:8.9p1. The correct CPE should be cpe:/a:openbsd:openssh:8.9:p1.

Hi,

You're mixing up Patch and Portable: there is OpenSSH 8.9 and OpenSSH 8.9p1 (Portable), which is not a patch level.

4 Likes

Yeah. I'm very sorry for my misunderstanding. I searched for the CPE in NVD - Search (nist.gov) but could not find it, so I rushed to conclude that the CPE format was wrong. Now I can find information about OpenSSH Portable here: OpenSSH: Portable Release. Thank you for explaining.

1 Like

Strangely enough, it seems that the NVD has switched from using the "correct" CPE cpe:/a:openbsd:openssh:4.4p1 to using cpe:/a:openbsd:openssh:4.4:p1, as seen in e.g.:

https://nvd.nist.gov/vuln/detail/CVE-2021-36368#range-7818946

@panajo1017 You might want to contact the NVD via https://www.nist.gov/about-nist/contact-us to get this corrected back, so that the p1 isn't added to the Update component of the CPE, because p1 is actually not an update / patch, as we have now concluded.

1 Like
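To make the distinction from the thread concrete for anyone building or matching CPEs from scanner output, here is an added example (not code from GVM, the NVD or any poster) that parses OpenSSH version strings, keeps the Portable suffix inside the version component as the thread concludes is correct, and shows why a CPE with the suffix moved into the update component will never exact-match it. The banner strings and CPE lists are constructed sample input; the function names are the example's own.

```python
import re

# OpenSSH version strings as seen in banners or package versions: "8.9", "8.9p1",
# "9.3p2". The "pN" suffix marks the Portable release, not a patch level, so the
# thread's conclusion is that it belongs in the version component of the CPE.
_OPENSSH_VERSION = re.compile(r"^(?P<base>\d+\.\d+)(?P<portable>p\d+)?$")


def parse_openssh_version(version):
    """Split an OpenSSH version into (base, portable_suffix_or_None).

    Raises ValueError for strings that are not OpenSSH version numbers.
    """
    m = _OPENSSH_VERSION.match(version.strip())
    if not m:
        raise ValueError(f"not an OpenSSH version: {version!r}")
    return m.group("base"), m.group("portable")


def openssh_cpe(version):
    """Build the CPE 2.2 URI with the Portable suffix kept in the version
    component (cpe:/a:openbsd:openssh:8.9p1) and the update component empty."""
    base, portable = parse_openssh_version(version)
    return f"cpe:/a:openbsd:openssh:{base}{portable or ''}"


def openssh_cpe_update_component(version):
    """The form the thread initially assumed, with the suffix moved into the
    update component (cpe:/a:openbsd:openssh:8.9:p1). Kept only to show the
    mismatch against openssh_cpe()."""
    base, portable = parse_openssh_version(version)
    return f"cpe:/a:openbsd:openssh:{base}" + (f":{portable}" if portable else "")


def version_from_banner(banner):
    """Extract the OpenSSH version from an SSH server banner such as
    'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1'. Returns None for other servers."""
    m = re.search(r"OpenSSH_(\d+\.\d+(?:p\d+)?)", banner)
    return m.group(1) if m else None


def cpe_matches(cpe, candidates):
    """Exact string match of a built CPE against the CPEs attached to an advisory.
    Real matchers are more lenient, but an exact comparison is enough to show
    that the two spellings of the same release do not line up."""
    return cpe in set(candidates)


if __name__ == "__main__":
    # Constructed sample banner and constructed advisory CPE list.
    banner = "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1"
    version = version_from_banner(banner)
    built = openssh_cpe(version)
    advisory_cpes = ["cpe:/a:openbsd:openssh:8.9:p1"]  # suffix in update component
    print("built:", built)
    print("matches advisory list:", cpe_matches(built, advisory_cpes))
    print("same release, update-component form:", openssh_cpe_update_component(version))
```

Running the script shows that a scanner emitting cpe:/a:openbsd:openssh:8.9p1 finds no exact match in an advisory that lists cpe:/a:openbsd:openssh:8.9:p1, which is the practical reason the inconsistency between the two spellings matters for vulnerability matching.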